Review: Windows Server 2008 (Security)


From a security perspective, Windows Server 2008 includes Network Access Protection (NAP). The NAP engine ensures that workstation computers connecting to your network meet the minimum health requirements defined in the security policy your administrator creates.

For example, a remote employee visits corporate HQ for the first time in four weeks with his laptop. When he plugs into the network, he is required to install outstanding security and critical Windows patches before he is granted access. Until that work is done, NAP can quarantine the laptop on a restricted network or deny it access completely; only once the computer meets the minimum health requirements is it allowed through.

In a perfect world, all domain controllers would sit in a single server room with unlimited bandwidth and power and constant surveillance. We do not live in that world, and many corporations have quite a few satellite or branch offices throughout the country or the world. In Windows Server 2008, you can configure Read-Only Domain Controllers (RODCs).

An RODC is a domain controller that you can install at a remote location; its sole purpose is to host a read-only copy of your Active Directory (AD) database. This gives you peace of mind, because you no longer have to worry about the physical security of a writable domain controller hundreds or thousands of miles away. The RODC holds a minimal set of information, and all changes must be made on a writable domain controller, which then replicates them to the RODC.

For example, a major car dealership chain could keep all of its writable domain controllers at corporate headquarters and put an RODC in every dealership location throughout the country, instead of following the current common practice of placing a full-control domain controller at each site. I am really excited about this feature in Windows Server 2008.
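The security benefit of an RODC rests on its Password Replication Policy (PRP): the RODC caches only the secrets of accounts the policy allows, and it records which accounts it has revealed. The following audit script is an added example, not code from the original review or from Microsoft; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT; Windows Server 2008 itself exposes the same information through `repadmin /prp`), and the RODC name BRANCH-RODC01 is a placeholder.

```powershell
# Added example: audit an RODC's Password Replication Policy from a writable DC.
# Assumptions: ActiveDirectory module available; BRANCH-RODC01 is a placeholder name.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'   # placeholder: the branch-office RODC to audit

# Principals whose secrets this RODC is allowed to cache
$Allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
# Principals explicitly denied (deny wins over allow)
$Denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
# Accounts whose secrets are actually stored on the RODC right now
$Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

# Groups that should never have secrets cached at a branch office
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators'

foreach ($g in $PrivilegedGroups) {
    if ($Allowed.Name -contains $g) {
        Write-Warning "$g is in the ALLOW list of $Rodc"
    }
    if ($Denied.Name -notcontains $g) {
        Write-Warning "$g is not in the DENY list of $Rodc"
    }
}

# adminCount=1 marks accounts protected by AdminSDHolder, a cheap proxy for
# "privileged". If the RODC were stolen, these are the passwords to reset first.
foreach ($acct in $Revealed) {
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    if ($obj.adminCount -eq 1) {
        Write-Warning "Privileged account $($acct.Name) has secrets cached on $Rodc"
    }
}

'{0}: {1} allowed, {2} denied, {3} accounts currently revealed' -f `
    $Rodc, $Allowed.Count, $Denied.Count, $Revealed.Count
```

Run it periodically from a writable DC; any warning means either the PRP is broader than the branch office needs or a privileged user has logged on there and left a cached secret behind.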

4 comments
diego.vargasr

Why do I need this? I don't think this would be useful, or what about if I have a laptop with another O.S. different from Windows???

ashine

Microsoft appear to have re-invented the Backup Domain Controller (as seen in NT 4.0)? Progress?